LDAP Open for Attack

Tuesday, November 1, 2016 @ 04:11 PM gHale

A new Zero Day attack vector relies on the Lightweight Directory Access Protocol (LDAP), which accesses username and password information in databases.

By leveraging amplification, attackers can inflict significant damage to their targets, said researchers at Corero Network Security.

IoT Attack Scare: Is Industry Ready?
Dirty COW Zero-Day Patched
Backdoor Hits WTP
New Backdoor Trojan

The technique could end up with an amplification factor of 46x, but could peak at 55x, researchers said.

“LDAP is not the first, and will not be the last, protocol or service to be exploited in this fashion,” said Dave Larson, CTO/COO at Corero Network Security. “Novel amplification attacks like this occur because there are so many open services on the Internet that will respond to spoofed record queries. However, a lot of these attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before these requests are admitted to the network. Specifically, following the best common practice, BCP 38, described in the Internet Engineering Task Force (IETF) RFC 2827, which describes router configurations that are designed to eliminate spoofed IP address usage by employing meaningful ingress filtering techniques, would reduce the overall problem of reflected DDoS by at least an order of magnitude.”

The security company also said an attacker could send a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP). The use of address spoofing would result in the query appearing to originate from the intended victim.

Because the CLDAP service would respond to the spoofed address, unwanted network traffic would be immediately sent to the attacker’s intended target. What’s more, the use of amplification techniques would allow actors to intensify the size of attacks, because the LDAP servers generate responses much larger than the attacker’s queries.

In this case, the LDAP service responses are capable of reaching very high bandwidth and we have seen an average amplification factor of 46x and a peak of 55x, according to Corero. The CLDAP Zero Day vulnerability has been observed leveraged in short but powerful attacks.

The use of this technique in live attacks could result in incidents that peak at tens of terabits per second in size, researchers said. Such attacks would be possible if this Zero Day DDoS attack vector combine with botnets such as Mirai.

Leave a Reply

You must be logged in to post a comment.